Red Hat Bugzilla – Bug 626262
bind doesn't include the dns root key
Last modified: 2013-04-30 19:46:59 EDT
+++ This bug was initially created as a clone of Bug #626238 +++
Description of problem:
The DNS root key has been signed since 15 July 2010. The bind configuration does not include the DNS root key for validation by default.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install bind
2. Look for the DNS root key in the configuration
It's not there
It should be there, near the DLV keys (which are still useful until all the TLDs get signed)
The root key is included in Fedora 14 (/etc/named.root.key). I'm not going to release an update for F13 which will add the root key. If you think I should reconsider this decision, please reopen this bug. Closing.
What's your rationale?
(In reply to comment #2)
> What's your rationale?
Well, in my opinion it's not a good idea to modify the default named.conf and include the root DNSKEY there because it can cause serious problems (the root domain and all its signed subdomains will be validated instead of the domains in DLV).
If I include the root DNSKEY in the bind package then, I think, the vast majority of people will miss this change and will not modify their named.conf.
For those reasons I think root DNSKEY inclusion in Fedora 13 doesn't bring any benefit. However, as I said in comment #1, if you think I should reconsider my decision then please reopen this bug and I will release an update.
I think you should reconsider.
You can still validate against both the root and the DLV. Looking at just the TLDs, 37 are in the root and not the DLV, another 9 are in both, and only arpa and kg are in the DLV and not in the root (as of root serial 2010110801). Even so, there are still people using the DLV until .com and .net get secured (ripe.net, etc), so the DLV has use yet.
Also, since the format of the root key at the IANA url is different from BIND's, getting the root key via a signed Fedora package is easier & more trustworthy for a less-savvy user, even if you don't choose to enable the root key by default (though if you can reliably do so without breaking configs, I think you should).
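The comment above points out that IANA publishes the root trust anchor as DS-style digests in an XML file, while BIND wants the DNSKEY itself in trusted-keys/managed-keys syntax, so a user who does not trust a packaged key has to bridge the two formats by hand. The following is an added example, not code from this bug report or from the Fedora bind package: it parses a key in BIND's managed-keys syntax, recomputes its key tag and DS digest per RFC 4034, and checks it against an IANA-style TrustAnchor/KeyDigest XML document. The key material and the XML are constructed here for demonstration (a 4-byte throwaway "public key", not the real root KSK); the XML element names follow IANA's root-anchors.xml layout as assumed here, and a practitioner would feed in /etc/named.root.key and the downloaded IANA file instead.

```python
"""Check a BIND trusted-keys / managed-keys entry against an IANA-style
root-anchors XML file by recomputing the DS digest (RFC 4034 section 5)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET


def name_to_wire(name):
    """Owner name in DNS wire format, the first part of the DS digest input."""
    if name in (".", ""):
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def parse_bind_trusted_key(text):
    """First key in BIND syntax:  "." [initial-key] 257 3 8 "base64...";"""
    m = re.search(r'"([^"]*)"\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"',
                  text, re.S)
    if not m:
        raise ValueError("no DNSKEY entry found")
    owner, flags, proto, alg, b64 = m.groups()
    pubkey = base64.b64decode("".join(b64.split()))  # BIND lets the base64 span lines
    return owner or ".", int(flags), int(proto), int(alg), pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire format | DNSKEY RDATA), uppercase hex."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}.get(digest_type)
    if algo is None:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def parse_iana_anchors(xml_text):
    """Read every KeyDigest from a TrustAnchor document (IANA root-anchors.xml layout, assumed)."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    return [{
        "zone": zone,
        "key_tag": int(kd.findtext("KeyTag")),
        "algorithm": int(kd.findtext("Algorithm")),
        "digest_type": int(kd.findtext("DigestType")),
        "digest": kd.findtext("Digest").strip().upper(),
    } for kd in root.findall("KeyDigest")]


def matches_iana_anchor(bind_key_text, iana_xml):
    """True if the BIND key is a KSK whose DS digest is published in the XML."""
    owner, flags, proto, alg, pubkey = parse_bind_trusted_key(bind_key_text)
    if proto != 3 or not (flags & 0x0001):  # must be a DNSKEY with the SEP (KSK) bit set
        return False
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    tag = key_tag(rdata)
    for a in parse_iana_anchors(iana_xml):
        if a["zone"] != owner or a["key_tag"] != tag or a["algorithm"] != alg:
            continue
        if ds_digest(owner, rdata, a["digest_type"]) == a["digest"]:
            return True
    return False


def iana_anchor_xml(zone, entries):
    """Build a root-anchors.xml-style document; used only to construct the sample below."""
    body = "".join(
        "<KeyDigest><KeyTag>%d</KeyTag><Algorithm>%d</Algorithm>"
        "<DigestType>%d</DigestType><Digest>%s</Digest></KeyDigest>" % e
        for e in entries)
    return "<TrustAnchor><Zone>%s</Zone>%s</TrustAnchor>" % (zone, body)


# Constructed sample: a tiny throwaway "KSK" (pubkey bytes 00 01 00 02), not a real root key.
SAMPLE_PUBKEY = b"\x00\x01\x00\x02"
SAMPLE_BIND_KEY = 'managed-keys {\n    "." initial-key 257 3 8 "%s";\n};\n' % (
    base64.b64encode(SAMPLE_PUBKEY).decode())
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)
SAMPLE_IANA_XML = iana_anchor_xml(".", [
    (key_tag(SAMPLE_RDATA), 8, 2, ds_digest(".", SAMPLE_RDATA, 2)),  # digest of our sample key
    (12345, 8, 2, "00" * 32),                                        # unrelated anchor, skipped
])

if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_RDATA))
    print("matches IANA anchor:", matches_iana_anchor(SAMPLE_BIND_KEY, SAMPLE_IANA_XML))
    bogus = SAMPLE_BIND_KEY.replace("AAEAAg==", "AAEAAw==")  # last key byte changed
    print("tampered key matches:", matches_iana_anchor(bogus, SAMPLE_IANA_XML))
```

The check deliberately requires key tag, algorithm and digest all to agree with one published KeyDigest entry, and skips keys without the SEP bit, since IANA publishes DS digests only for the KSK. A digest mismatch on an otherwise plausible key is the case to worry about: it means the DNSKEY text you were handed is not the one IANA vouches for.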
bind-9.7.3-1.fc14 has been submitted as an update for Fedora 14.
bind-9.7.3-1.fc15 has been submitted as an update for Fedora 15.
bind-9.7.3-1.fc13 has been submitted as an update for Fedora 13.
bind-9.7.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc14
bind-9.7.3-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.7.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.7.3-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.